Red Hat Bugzilla – Bug 442187
[PATCH] support for providing console password in STDIN
Last modified: 2015-01-04 18:31:50 EST
Description of problem:
Currently the IDM console accepts an undocumented command line argument "-w
password", which allows for logging in to administration server without
interactive password prompt by supplying the plain text password on command line.
There's a serious security vulnerability here: the plain text password is
clearly visible to all other users of the system where the console runs, as its
arguments can be read from the system's process table.
A much better approach would be to supply the password on standard input.
Implementing this was quite simple - I'm attaching a patch that implements the
option "-W" (that's inspired by the arguments to OpenLDAP's ldapsearch utility:
over there "-w" stands for password on the command line, "-W" is for password on
standard input. "-y filename" means password will be read from a file - it would
be a nice idea to implement that too).
Version-Release number of selected component (if applicable): 1.1.0
Created attachment 302223
Patch against Console.java
Created attachment 302224
ZIP with the compiled Console class
For your testing convenience, I'm attaching a compiled version of the modified
In order to use it, simply replace the Console class files in the
idm-console-mcc-1.1.0.jar JAR archive, they reside in JAR's subdirectory named
Created attachment 302225
A better patch
Another version of the patch:
1) in order to be consistent with FDS's ldapsearch argument naming conventions,
it uses "-w -" for reading password from standard input. FDS's ldapsearch
reserves "-W" for reading SSL certificate password.
2) implements the "-y" argument for reading password from a file
3) documents the (until now) undocumented options in the syntax help output
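As an added illustration of the option handling described above (this is not the patch attached to this bug, and it does not reproduce the real Console.java), the following Java class parses the three password sources: "-w password" on the command line, "-w -" for standard input, and "-y filename" for a file. The class, method and enum names are assumptions; the file reader is closed with try-with-resources, which is the defect the later attachment corrects, and a warning is printed for the command-line case because the value is already exposed in the process table before the program starts.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;

/*
 * Added example, not the project's code: illustrates the "-w password",
 * "-w -" and "-y filename" password sources discussed in the bug.
 * Class, method and enum names here are assumptions.
 */
public class PasswordArgs {

    /** Where the password came from, so a caller can warn about the risky case. */
    public enum Source { NONE, COMMAND_LINE, STDIN, FILE }

    public static final class Result {
        public final Source source;
        public final char[] password;
        Result(Source source, char[] password) {
            this.source = source;
            this.password = password;
        }
    }

    /**
     * Scans args for "-w <value>" and "-y <file>". The option given last wins,
     * as with getopt-style parsers. A missing value is an error.
     */
    public static Result parse(String[] args) throws IOException {
        String w = null;
        String y = null;
        for (int i = 0; i < args.length; i++) {
            if ("-w".equals(args[i]) || "-y".equals(args[i])) {
                if (i + 1 >= args.length) {
                    throw new IllegalArgumentException("option " + args[i] + " requires a value");
                }
                if ("-w".equals(args[i])) {
                    w = args[++i];
                    y = null;
                } else {
                    y = args[++i];
                    w = null;
                }
            }
        }
        if (y != null) {
            return new Result(Source.FILE, readFirstLine(Files.newBufferedReader(Paths.get(y), StandardCharsets.UTF_8)));
        }
        if (w == null) {
            return new Result(Source.NONE, null);
        }
        if ("-".equals(w)) {
            // "-w -": the password is piped in; nothing appears in the process table.
            BufferedReader in = new BufferedReader(new InputStreamReader(System.in, StandardCharsets.UTF_8));
            return new Result(Source.STDIN, readFirstLine(in));
        }
        // The insecure case the bug describes: the value is already visible to
        // other users via the process table, so the program cannot protect it.
        return new Result(Source.COMMAND_LINE, w.toCharArray());
    }

    /**
     * Reads the first line (without its newline) and always closes the reader,
     * which matters for the "-y" file case.
     */
    static char[] readFirstLine(BufferedReader reader) throws IOException {
        try (BufferedReader in = reader) {
            String line = in.readLine();
            return line == null ? new char[0] : line.toCharArray();
        }
    }

    /** Overwrites the password buffer once it has been used. */
    public static void wipe(char[] pw) {
        if (pw != null) {
            Arrays.fill(pw, '\0');
        }
    }

    public static void main(String[] args) throws IOException {
        Result r = parse(args);
        if (r.source == Source.COMMAND_LINE) {
            System.err.println("warning: a password on the command line is visible to other users; use \"-w -\" or \"-y file\"");
        }
        System.out.println("source=" + r.source + " length=" + (r.password == null ? 0 : r.password.length));
        wipe(r.password);
    }
}
```

Usage follows the conventions from the comment above: `echo "$PW" | java PasswordArgs -w -` reads from standard input, `java PasswordArgs -y /path/to/pwfile` reads the first line of a file (keep that file readable only by the invoking user), and `java PasswordArgs -w secret` still works but prints the warning.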
Created attachment 302231
I forgot to close the password file after I'm done with it. This should be the
Created attachment 302232
ZIP with the compiled class - latest version
How about checking this in? There's nothing more preventing the checkin AFAIK.
Created attachment 310084
cvs commit log
idm-console-framework-1.1.2-1.fc8 has been submitted as an update for Fedora 8.
idm-console-framework-1.1.2-1.fc9 has been submitted as an update for Fedora 9.
idm-console-framework-1.1.2-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
idm-console-framework-1.1.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
verified on rhel5 32bit & hp-ux
test result: pass
pass means the following
1. no password being recorded in log files (including admin server access and error log file and dirsrv server access and error log file)
2. -w option still works fine
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.